From ecad3e75ff8aa4a14811efaad8e6b9436eb6774b Mon Sep 17 00:00:00 2001
From: Leorize
Date: Sat, 18 Jan 2025 13:38:29 -0600
Subject: [PATCH] fix(flatpak): construct null-terminated array for arguments

The variant format string `^aay` is said to be equivalent to g_variant_new_bytestring_array. Given that no length parameter is provided, g_variant_new assumed a null-terminated array, but the array constructed by the code was not, causing a crash as glib exceed the read boundaries to copy arbitrary memory.

This commit replaces the array construction code to use its arena equivalents instead of trying to build one using glib, and make sure that the resulting array is null-terminated.
---
 src/os/flatpak.zig | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/src/os/flatpak.zig b/src/os/flatpak.zig
index faac4bd27..09570554e 100644
--- a/src/os/flatpak.zig
+++ b/src/os/flatpak.zig
@@ -265,16 +265,12 @@ pub const FlatpakHostCommand = struct {
 }
 // Build our args
- const args_ptr = c.g_ptr_array_new();
- {
- errdefer _ = c.g_ptr_array_free(args_ptr, 1);
- for (self.argv) |arg| {
- const argZ = try arena.dupeZ(u8, arg);
- c.g_ptr_array_add(args_ptr, argZ.ptr);
- }
+ const args = try arena.alloc(?[*:0]u8, self.argv.len + 1);
+ for (0.., self.argv) |i, arg| {
+ const argZ = try arena.dupeZ(u8, arg);
+ args[i] = argZ.ptr;
 }
- const args = c.g_ptr_array_free(args_ptr, 0);
- defer c.g_free(@as(?*anyopaque, @ptrCast(args)));
+ args[args.len - 1] = null;
 // Get the cwd in case we don't have ours set. A small optimization
 // would be to do this only if we need it but this isn't a
@@ -286,7 +282,7 @@ pub const FlatpakHostCommand = struct {
 const params = c.g_variant_new(
 "(^ay^aay@a{uh}@a{ss}u)",
 @as(*const anyopaque, if (self.cwd) |*cwd| cwd.ptr else g_cwd),
- args,
+ args.ptr,
 c.g_variant_builder_end(fd_builder),
 c.g_variant_builder_end(env_builder),
 @as(c_int, 0),
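Review bot: The new loop copies every `self.argv` entry with `dupeZ` and hands the result to `^aay`, which (per the commit message) behaves like g_variant_new_bytestring_array and treats each entry as a C string, so an argument containing an interior NUL byte is silently cut at that byte on the glib side and the host command receives something other than what was asked for; if argv can come from configuration or other untrusted input, such entries should be rejected before the `dupeZ` call rather than truncated. Separately, the terminator this fix depends on is a bare trailing store, `args[args.len - 1] = null;`, that nothing enforces; `arena.allocSentinel(?[*:0]u8, self.argv.len, null)` puts the null sentinel in the slice type, so `args.ptr` becomes `[*:null]?[*:0]u8` and the terminator cannot be forgotten or overwritten. The enclosing function starts and ends outside this hunk, so its error set is not visible; the error name below is a placeholder to align with it, and the rewrite assumes `std` is in scope in this file. I would also record why the sentinel exists, since the crash this commit fixes came from its absence: `// ^aay has no length parameter: glib reads until a null entry, so the array must be null-terminated.`
```zig
// ^aay has no length parameter: glib reads until a null entry, so the
// terminator lives in the slice type instead of a trailing store.
const args = try arena.allocSentinel(?[*:0]u8, self.argv.len, null);
for (args, self.argv) |*slot, arg| {
    // glib stops at the first NUL of each entry; refuse to pass a
    // silently shortened argument to the host.
    if (std.mem.indexOfScalar(u8, arg, 0) != null) return error.InvalidArgument;
    slot.* = (try arena.dupeZ(u8, arg)).ptr;
}
// … unchanged: cwd lookup and the g_variant_new call (args.ptr stays as is) …
```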